💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › com_sec91.hac captured on 2021-12-04 at 18:04:22.

View Raw

More Information

-=-=-=-=-=-=-

 
                         United States General Accounting Office
  _____________________________________________________________________________
  GAO                    Testimony
 
                      Before the Subcommittee on Government Information and
                      Regulation, Committee on Governmental Affairs,
                      United States Senate
 
________________________________________________________________________
  For Release            COMPUTER
  on Delivery            SECURITY
  Expected at
  1:00 p.m. EST
  Wednesday,
  November 20, 1991
 
 
 
 
                         Hackers Penetrate DOD
                         Computer Systems
 
 
 
                         Statement of
                         Jack L. Brock, Jr. Director
                         Government Information and Financial Management
                         Information Management and Technology Division
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  GAO/T-IMTEC-92-5
_____________________________________________________________________

 
 
 
 
 
 
          Mr. Chairman and Members of the Subcommittee:
 
          I am pleased to participate in the Subcommittee's hearings on
          computer security.  At your request, our work focused on hacker
          intrusions into Department of Defense (DOD) unclassified,
          sensitive computer systems during Operation Desert Storm/Shield.
          My testimony today is based on our review of intrusions by a
          group of Dutch hackers into Army, Navy, and Air Force computer
          systems.  In particular, we conducted a detailed review of the
          hacker intrusions and system administration responsibilities at
          three DOD sites.  While our focus was on unclassified, sensitive
          systems, some of the systems penetrated by this group of hackers
          did not contain sensitive information.
 
          The government faces increased levels of risk for information
          security because of greater network use and computer literacy,
          and greater dependency on information technology overall.  For
          years hackers have been exploiting security weaknesses of systems
          attached to the Internet--an unclassified network composed of
          over 5,000 smaller networks nationwide and overseas and used
          primarily by government and academic researchers.  Their
          techniques have been publicized in hacker bulletin boards and
          magazines, and even in a bestseller, The Cuckoo's Egg written by
          Clifford Stoll.  Hackers, however, continue to successfully
          exploit these security weaknesses and undermine the integrity and
          confidentiality of sensitive government information.
 
          Between April 1990 and May 1991, computer systems at 34 DOD sites
          attached to the Internet were successfully penetrated by foreign
          hackers.  The hackers exploited well-known security weaknesses--
          many of which were exploited in the past by other hacker groups.
          These weaknesses persist because of inadequate attention to
          computer security, such as password management, and the lack of
          technical expertise on the part of some system administrators--
          persons responsible for the technical management of the system.
 
          DUTCH HACKERS PENETRATE
          -----------------------
          DOD COMPUTER SYSTEMS
          --------------------
          Between April 1990 and May 1991, computer hackers from the
          Netherlands penetrated 34 DOD sites.  DOD officials, however, are
          still unable to determine the full scope of the problem because
          security measures for identifying intrusions are frequently
          lacking.  At many of the sites, the hackers had access to
          unclassified, sensitive information on such topics as (1)
          military personnel--personnel performance reports, travel
          information, and personnel reductions; (2) logistics--
          descriptions of the type and quantity of equipment being moved;
          and (3) weapons systems development data.
 
          Although such information is unclassified, it can be highly
          sensitive, particularly during times of international conflict.
          For example, information from at least one system, which was

 
 
 
 
 
 
          successfully penetrated at several sites, directly supported
          Operation Desert Storm/Shield.  In addition, according to one DOD
          official, personnel information can be used to target employees
          who may be willing to sell classified information.  Further, some
          DOD and government officials have expressed concern that the
          aggregation of unclassified, sensitive information could result
          in the compromise of classified information.
 
          Hackers Exploit Well-Known
          --------------------------
          Security Weaknesses
          -------------------
          The hackers generally gained access to the DOD computer systems
          by travelling through several networks and computer systems.
          Using commercial long-distance services, such as Tymnet, the
          hackers weaved their way on the Internet through university,
          government, and commercial systems, often using these sites as
          platforms to enter military sites.
 
          The hackers then exploited various security weaknesses to gain
          access into military sites.  The most common weaknesses included
          (1) accounts with easily guessed passwords or no passwords, (2)
          well-known security holes in computer operating systems, and (3)
          vendor-supplied accounts--privileged accounts with well-known
          passwords or no passwords at all that are used for system
          operation and maintenance.  Once the hackers had access to a
          computer at a given site, access to other computers at that site
          was relatively easy because the computers were often configured
          to trust one another.
 
          At several sites the hackers exploited a Trivial File Transfer
          Protocol#1 (TFTP).  Some versions of this program had a well-
          known security hole that allowed users on the Internet to access
          a file containing encrypted passwords without logging into the
          system.  Once the hackers accessed the password file, they (1)
          probed for accounts with no passwords or accounts where the
          username and password were identical, or (2) downloaded the
          password file to another computer and ran a password cracking
          program--a program that matches words found in the dictionary
          against the encrypted password file.  Finally, the hackers
          entered the system, using an authorized account and password, and
          were granted the same privileges as the authorized user.
 
          At two of the sites we visited the hackers were able to enter the
          systems because vendor-supplied accounts were left on the system
          with a well-known password or with no password at all.  Operating
          systems and software are often delivered to users with certain
          accounts necessary for system operation.  When delivered, these
 
          _________________________________________________________________
          1 TFTP is a file transfer program that permits the copying of
          files without logging in.
 
                                          3

 
 
 
 
 
 
          accounts--some of which include system administrator privileges
          that allow them to do anything on the system without restriction-
          -are often unprotected or are protected with known passwords, and
          are therefore vulnerable until the password is changed.
 
          Hackers Established
          -------------------
          Methods For Reentry
          -------------------
          The majority of the hackers' activities appeared to be aimed at
          gaining access to DOD computer systems and then establishing
          methods for later entry.  In many of the intrusions, the hackers
          modified the system to obtain system administrator privileges and
          to create new privileged accounts.  For example, at some sites
          where the hacker entered the system using a vendor-supplied
          password, the hackers ran a program that elevated the privileges
          of the account and then erased evidence of the intrusion by
          removing the program.  The hackers then created new privileged
          accounts with passwords known only to them and that blended in
          with the sites' naming conventions, making detection more
          difficult.
 
          While there was little evidence that the hackers destroyed
          information, in several instances the hackers modified and copied
          military information.  In a few cases, the hackers stored this
          information at major U.S. universities.  They modified system
          logs to avoid detection and to remove traces of their activities.
          The hackers also frequently browsed directories and read
          electronic messages.  In a few cases, they searched these
          messages for such key words as military, nuclear, weapons,
          missile, Desert Shield, and Desert Storm.
 
          Agencies' Response
          ------------------
          to the Incidents
          ----------------
          In most cases, system administrators did not identify the
          intrusion, but were instead notified of the intrusion by
          university, contractor, or DOD officials.  Once the system
          administrators were notified, they usually secured their system--
          such as changing the password of a vendor-supplied account.  In a
          few cases, however, the sites left the vulnerability open
          temporarily in an effort to determine the intruder's identity.
          At one site we visited where this was done, the intruders' access
          to sensitive information was contained, and coordinated with law
          enforcement agencies.
 
          Only one of the three military services had written procedures
          for incident handling prior to the intrusions.  Since the
          intrusions, however, the other two services have established
          written procedures.  Despite the lack of procedures, at two of
          the sites we visited security personnel prepared an incident
 
                                          4

 
 
 
 
 
 
          report after they were notified about the intrusion.   In
          addition, one site we visited established computer hacker
          reporting procedures for their organization.  They also included
          security tips, such as changing default passwords, using
          randomly-selected passwords, and maintaining audit trails.
 
          HACKER INTRUSIONS HIGHLIGHT
          ---------------------------
          INADEQUATE ATTENTION TO
          -----------------------
          COMPUTER SECURITY
          -----------------
          The security weaknesses that permitted the intrusions and
          prevented their timely discovery highlight DOD's inadequate
          attention to computer security.  Poor password management,
          failure to maintain and review audit trails, and inadequate
          computer security training all contributed to the intrusions.
 
          DOD directives and military service regulations and instructions
          require both adequate computer security training for those
          responsible for systems, and audit trails--records of system
          activities--that are reviewed periodically and detailed enough to
          determine the cause or magnitude of compromise.  In addition, the
          military services require password management procedures.  The
          intrusions, however, indicate that these requirements were not
          always followed.
 
          Poor password management--easily-guessed passwords and vendor-
          supplied accounts whose password had not been changed--was the
          most commonly exploited weakness contributing to the intrusions,
          including those at each of the sites we visited.   At one site we
          visited the hacker exploited a vendor-supplied account, left on
          the system without a password, that in turn provided system
          administrator privileges.
 
          In addition, officials also noted that failure to maintain or
          periodically review audit trails was a key reason why most system
          administrators were unable to detect the intrusions or determine
          how long their system had been compromised.  For example, few of
          the 34 sites whose systems were penetrated were able to identify
          or verify the intrusions.
 
          Several officials stated that system administration duties are
          generally part-time duties and that administrators frequently
          have little computer security background or training.  At one
          site, for example, the system administrator had little knowledge
          of computers and system administrator responsibilities.  In
          addition, with the exception of a brief overview of computer
          security as part of the introductory training for the system, the
          system administrator had not received any computer security
          training.  Moreover, after the intrusion occurred, the newly
          appointed system administrator did not receive any additional
 
                                          5

 
 
 
 
 
 
          computer security training and did not know the proper security
          reporting chain.
 
          The security weaknesses that I have described here today have
          been and continue to be exploited by various hacker groups.  Two
          years ago we issued a report, Computer Security:  Virus
          Highlights Need for Improved Internet Management, (GAO/IMTEC-89-
          57), highlighting some of the same weaknesses--poor password
          management and system administrators who lacked the technical
          expertise to deal with security problems--that we discussed here
          today.  In addition, numerous Computer Emergency Response Team
          (CERT) security advisories, available to anyone on the Internet,
          have addressed these weaknesses.  Yet, despite these warnings,
          these security weaknesses continue to exist.  Without the proper
          resources and attention, these weaknesses will continue to exist
          and be exploited, thus undermining the integrity and
          confidentiality of government information.
 
          This concludes my remarks.  I will now answer any questions you
          or members of the Subcommittee may have concerning these issues.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                          6

Downloaded From P-80 International Information Systems 304-744-2253